What is OAuth? | Learn the Basics of Open Authorization
First released in 2007, OAuth has become a staple authorization method on many websites—especially those that wish to collaborate with other organizations.
We all know the cardinal rule to never share your password—and that’s never been more true! Despite their popularity, passwords aren’t as secure as we once believed. Around 90% of user-generated passwords are vulnerable to hacking.
OAuth is an important piece of any organization’s website authentication because it protects users’ credentials. However, there tends to be a lot of confusion surrounding this authentication method and how it actually works.
If your website requires a login to access particular information, understanding how OAuth works and using it in your website authentication can improve your user-experience and secure your user data.
Sound interesting? Keep reading as we cover four important questions about OAuth:
- What is OAuth?
- How does OAuth work?
- Why is OAuth a popular authorization method?
- Is OAuth more secure than other token-based methods?
A lot of topics discussed in this article require some basic knowledge of website authentication. Use our comprehensive guide to brush up on the topic before you get started with OAuth!
We’ll start with the most important question: What is OAuth?
Open authorization (or OAuth for short) is a type of token-based authentication method that allows organizations to share information across third-party services without exposing their credentials. Essentially, OAuth is the middle-man that provides third-party services with a token that allows specific account information to be shared.
In other words, OAuth is a process in which users grant websites or applications information on another website without providing their login credentials. OAuth ensures that the website requesting the information has the right permissions to access the user’s data.
A common misconception about OAuth is that this process also verifies the user’s identity otherwise known as authentication. As a result, OAuth often gets confused with single-sign-on (SSO) authentication. While the two processes are very similar, they have one key distinction: SSO authenticates users whereas OAuth authorizes users.
To better understand the distinction, let’s break down what authentication and authorization mean:
- Authentication is the act of verifying a user’s identity. When users enter their usernames and passwords (or use a passwordless credential), the website uses this information to confirm that the person is an authorized user.
- Authorization occurs after users have been authenticated when the system checks to see what permissions a user has. A user’s permissions dictate what the person sees and what actions they can take on the website.
OAuth is simply there to make sure that third-party websites have the right permissions to access a user’s information.
You’ve probably used OAuth without even realizing it. For example, whenever you give a website permission to access your Facebook information you’re using open authorization.
Takeaway: OAuth can be used to grant websites information that’s located on a different website and shouldn’t be confused with authentication, which verifies the user’s identity.
If you know a thing or two about token-based authentication, then OAuth is pretty simple to understand. The process in which a website obtains a token is called a flow, and in the OAuth flow, there are three key players: the user, the consumer, and the service provider.
To better explain how this process works, let’s imagine that your organization (the user) wants to use a social media management tool to schedule and publish your Facebook posts. In this example, Facebook is the service provider and the social media management tool is the consumer.
Let’s get started:
- The user requests an action. In this initial step, you’ll let the social media management tool know that you want to automatically publish posts using their service.
- The consumer gets permission from the service provider. The social media management tool will ask Facebook to grant them permission to access your account and publish posts. In return, Facebook will send them a token with a unique signature or secret that verifies the management tool’s actions.
- The user is redirected to the service provider. Once the social media management tool has the token, they’ll redirect you to Facebook’s login page.
- The user gives the consumer permission. When you’re redirected to Facebook’s login page, it will ask for your username and password and to confirm that you want the social media management tool to be able to post on your behalf. Once permission has been granted, the token will be approved and used every time the social media management tool makes a request.
- The consumer accesses protected permissions. Now that the social media management tool has the token, they are able to complete tasks because the token delegates what permissions they have access to.
It’s important to note that never in this interaction did you have to give your login credentials to the social media management tool. The token acts as a placeholder. What’s more, the token doesn’t give the consumer total access to your account.
For example, if the social media management tool made a request to change your Facebook account settings, this action with be denied because the token only states that the consumer has permission to post on your behalf.
Takeaway: OAuth is a process that lets third-party websites known as consumers request permission to complete certain tasks. When a consumer wishes to complete a task, it must present the token that outlines what they’re allowed to do.
In order to understand why OAuth is so popular, we have to look at how information was shared before its existence. If a user wanted to give a website information from a different account, the individual had to give their credentials to the third-party website. As a result, many not-so-credible websites were taking advantage of this weakness and using a person’s credentials to obtain sensitive information.
Additionally, this process doesn’t restrict what actions another website can do. With your username and password, the third-party website could:
- Make changes to your settings
- Access sensitive information like a credit card number
- Change your credentials and block your access to the account
OAuth originated as a process that didn’t share credentials and dictated what a website had the ability to do.
Having a secure way to share information across different websites means that companies can collaborate more often and provide convenient services for their users.
Since OAuth is a type of token-based authentication method, it can also be used as a way to replace the need for a user to have a separate set of credentials for every website.
You’re probably familiar with sites that let you log in using your Facebook and Gmail accounts. Essentially this process uses a form of OAuth. The user grants the website permission to access information from their Facebook account. As a result, Facebook handles the authentication process.
OAuth not only makes it easier for the third-party website to gain the information they need, but it also makes the process more convenient for the user.
Takeaway: OAuth is a popular solution for both websites and users because it’s more secure than sharing credentials and allows users to utilize services across multiple platforms.
Since OAuth doesn’t share your credentials with other websites, it’s more secure than the alternative method we mentioned above. However, it’s important to be aware that OAuth has its weaknesses:
One of the most crucial weaknesses in the OAuth process is when users are redirected to the service provider’s website where they must enter their credentials.
Let’s go back to our example in the second section:
If the social media management tool that requested access to your Facebook turned out to be a malicious website, they might direct users to a site that looks just like Facebook. When you log in, the malicious website will take your password and username. That’s why it’s always important that to make sure that you’re being directed to the correct website when you grant the consumer access.
Additionally, without the right specifications, OAuth tokens don’t expire. As a result, these tokens are vulnerable to attacks. If a hacker gains access to a token or the secret that verifies the token, they would be able to trick the system into making unauthorized requests.
While OAuth might not be the best way to authorize actions, that doesn’t mean that all passwordless or token-based methods aren’t secure.
In fact, many token-based methods like email authentication provide users with a secure option. Let’s say you wanted users to be able to log into their accounts without a password or username. Email authentication allows users to complete the login process using their primary email account.
Here’s how Swoop’s email authentication process works:
- The user clicks on the “Login” button which triggers a mailto link. This link will direct the user to a pre-written email.
- Every email has a unique DKIM signature that identifies the user and is sent to a unique Swoop email address that identifies what action the user is requesting (in this case accessing their account).
- When the user hits “Send,” Swoop conducts three layers of security measures to ensure that the request came from the correct user. This process only takes a couple of seconds and then the user can access their account.
This process is much more secure than OAuth because the user won’t be redirected to a login screen where they have to enter their credentials.
Takeaway: While OAuth is more secure than password login systems, it does have its weakness. Businesses and nonprofits looking for an even more secure login system should consider email authentication as an alternative option.
Now that you’re familiar with the ins and outs of OAuth, you’re ready to improve your website security and user experience.
For more information about website authentication and security protocols, check out these additional resources:
- Are your Passwords Compromised? Why Your Company Is At Risk: Interested in learning more about the weaknesses of passwords and how they could be affecting your corporation’s security? Keep reading this article to find out more.
- 5 Things You Need to Know About Fingerprint Scanning: If you’re interested in using fingerprint scanning as a password alternative for your website authentication, check out this list of 5 facts before finalizing your decision.
- Understanding User Authentication: 3 Basics You Should Know: As you might have guessed, OAuth is part of a much larger discussion on user and website authentication. Get an in-depth understanding of user authentication with this article.
This post was written by Jamie L.